Is Open-Source Security Software Safe?

December 10, 2001

By Alex Salkever

Will the average bank care if the hacking underground can examine the basic source code of the security software protecting its networks? That's what information-security company Guardent is about to find out.

On Dec. 11, the Waltham (Mass.)-based company rolled out a hardware security appliance that relies solely on open-source programs to protect customers. Guardent will use these appliances, priced at $1,500 a pop, to monitor and guard corporate networks. That's a fraction of the cost of most integrated security appliances.

One small step for Guardent, one giant leap for open-source security. Corporations are loath to take a chance on a piece of security software they don't completely trust. But Guardent doesn't seem to be worried. Open-source proponents have long argued that their software is more secure due to the exposure of the raw code to thousands of eyeballs, and the ability of anyone using the software to incorporate code changes to quickly patch vulnerabilities. What's more, Guardent will emphasize top-quality service first, good software second. "The thing that has the value is the service, rather than the software itself," says Guardent co-founder Daniel R. McCall.

CHEAPER PACKAGE. A quick look under the hood of Guardent's new box reveals no surprises. The device incorporates a handful of customized versions of well-known open-source security software tools, including the Snort intrusion-detection package, the Nessus vulnerability scanner, and the IPTables firewall program. Guardent will manage the devices using specialized software backed by a PostgreSQL database, another open-source system.

"By combining these things, you get something that transcends what straight firewalls and straight intrusion-detection system [IDS] can offer," says Guardent Chief Technology Officer Gerard Brady. "You can put the thing together at a cost where the hardware, the software, and the service for a year come in around the same cost of a traditional IDS system with just the hardware to run it."

Guardent isn't alone. Other vendors are starting to incorporate open-source programs as part of their security solutions. Big systems integrator EDS markets a package of open-source security programs to credit unions from German company Astaro. Security company Silicon Defense offers commercial support contracts for Snort. Web-server specialist Covalent sells and supports a secure version of the popular open-source program Apache that wraps intrusion detection and antivirus capabilities in the same package. IBM, too, uses open-source security products in its consulting and technology-management contracts.

UNLIMITED ACCESS. Although no one tallies the number of corporations using open-source security software, something must be going on in the market. "It could be there are more people out there who use the open-source security and firewall tools, but it never gets reported because no one executed a purchase order for it," speculates Brian Behlendorf, the CTO of Collabnet, which has done a lot of work on open-source products.

Open-source proponents argue that, by making the code visible to all, possible security holes will likely have been spotted. They also say the ability to make quick changes in the code is a boon, as is the fact that the user wields ultimate control. "With open-source software, we are assured that we will have access to the software for as long as we desire," says Grant Wagner, the technical director of the Secure Systems Research Office at the National Security Agency.

Most important, removing the cost of software licenses makes a huge difference in the competitive field of managed security services, where Guardent hopes to make a big splash. Co-founder McCall thinks he can maintain profit margins in the 60% to 70% range with the open-source appliance. All of this might sound familiar to those who have watched Red Hat's struggle to create a workable model, one in which software is free and service revenues generate the profit. If that effort is any guide, driving open-source security software into the mainstream will doubtless prove a very difficult task.

SEALS OF APPROVAL. The open-source movement rarely puts a premium on nifty interfaces that can make it easier to manage and configure software. But that's precisely what network engineers need to give them easier tools for operating firewalls and IDS systems on large corporate networks. "The people who are really good at building open-source things are happy with a less sophisticated interface," explains Gary McGraw, CTO of Cigital and an expert in building secure software. "Part of being a good firewall is the quality of the code, but don't forget that someone has to manage the firewall."

Open-source security products will struggle down the road unless they can obtain seals of approval such as the Federal Information Processing Standard audit, as administered by the National Institute of Standards & Technology. Those audits are mandatory before the federal government signs certain types of contracts. But open-source projects rarely can raise the cash to pay for and maintain these audits. That's not even considering how an audit could be conducted on a constantly changing body of code.

Another potential problem: As open source pushes into more complex pieces of software, such as firewalls and IDS, frequent code-patching can spawn its own difficulties. "If there is a problem, somebody patches it. People like that about open source," explains Mary Ann Davidson, the chief security officer at Oracle, who adds: "But if you are a company with a large code base, these alterations ripple through all the products that depend on it. So patching every week destabilizes your code base."

CRUNCH TIME. Davidson is quick to point out that she's not opposed to open-source code in principle. In fact, Oracle considered using open-source libraries of cryptographic algorithms a few months ago, but it rejected that approach in part due to a belief that product support would be superior from an established proprietary-code vendor.

Now comes the moment of truth: How many companies are willing to put everything on the line with open-source software as their bulwark against malicious hackers and other intruders? While the algorithms themselves are very public, "I have never seen anyone using open-source cryptography software in really heavy duty, mission-critical applications," says Davidson.

Guardent says it counts one of the 10 largest financial institutions in the country among the beta customers for its open-source appliance. True, that unnamed outfit isn't using the device to protect bond-trading systems or anything else quite so sensitive. But if Guardent can show that management and service are more important than the code itself, that could mark a huge opportunity for open source to pile into a market where high software costs still hurt.

Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online.